Is the CISO-as-a-Consultant Model Obsolete?
Daniel Wallace, CISSP, PMP, Information Security Consultant at Grow Forward
Perhaps lost beneath all of the talk about regulation, SaaS, and Web 2.0 at the Gartner Information Security Summit in Washington, D.C. last week was the prediction that information security jobs in the future will focus less on technology and more on risk management.
I did not attend the conference, but I have been following the commentary, blogs and Twitter posts of some who did attend, and I am inclined to agree with the Gartner conclusions as they were reported.
In the 15 years I have been advising IT executives, I have observed a couple of shifts in the role of information security and the CISO. I have also seen the emergence of risk management as a core competency turn hot, then cold, several times.
My belief is that CISOs have always been at least somewhat focused on risk management, though their approach often could use refinement.
If CISOs have not been as effective as they could be in managing or mitigating risk, this may be because of the way risk management and CISOs in particular are aligned with each other and positioned in the organization.
Some time ago, when CISOs started appearing on organization charts, often somewhere in the CIO’s organization, the role was essentially an information-protection “jack of all trades”.
Often someone who had worked their way up the ranks of the infrastructure support function, perhaps cutting their teeth by maintaining Check Point firewalls, was now in charge of security technologies, policies, and procedures.
This preventive-control-centric CISO unilaterally decided what security measures to deploy, even though most of the burden of implementation and sustainment fell to the business line.
Because this burden was borne by the business, the CISO had no incentive to exercise restraint, which resulted in the appearance of a “security at any cost” mindset.
Then something started to change: technology began to mature, and so did the CISO role.
CISOs came around to seeing themselves as consultants, and many were able to fashion a role whereby it was their job to quantify the risk and advise the business on the appropriate controls to mitigate it.
The business owned the risk and operations turned the wrenches.
This consultant model was a “bottom-up” approach to risk management, giving the business more control over security decisions and risk acceptance. The theoretical case for pushing decision making down closer to the business appears reasonable, but in this instance examining the details of actual practice reveals serious flaws.
In theory, the consultant model is designed to work like other decentralized decision-making initiatives.
The business is informed by the consultant CISO about its information security risks, its exposure and the associated cost of mitigation. The business then chooses a level of control based on its risk appetite.
The residual risk is documented in a risk acceptance form and filed away in the CISO’s office or on a SharePoint site. In practice, CISOs are often held accountable for losses resulting from the business units’ risk acceptance decisions.
The business has an incentive to accept more risk than it would if it had to absorb the downside of its decisions. The result is that firms are taking on an unjustifiable level of information risk, and CISOs are being held accountable for decisions that are not their responsibility.
Although this responsibility vs. accountability disconnect is not an existential problem for the business lead, it can be a career-threatening one for a CISO.
Compounding the problem for the consultant CISO in the shorter term is that budgets are under downward pressure while the risk of fraud, insider theft and third-party exposure is going up. Longer term, the financial crisis has forced firms to re-focus on systemic risk, resulting in a revival of top-down Enterprise Risk Management (ERM) efforts.
To thrive in the top-down model, CISOs will need to master skills usually associated with a business executive, namely risk management, relationship management and process management.
The same forces that are pushing the transition to holistic risk management are also resulting in the “CISO as consultant” model being called into question. The savvy CISO will view and act upon this change of mindset as if it were a golden opportunity.
Revived interest in a holistic approach to risk management could lead to information security being uncoupled from IT and integrated with broader enterprise risk management efforts.
As the Gartner analysts predicted at the summit in DC, CISOs will likely be expected to focus less on information risk and more on the risks to business competitiveness.
By taking their rightful place in the ERM function and reclaiming decision rights over information risk acceptance, CISOs can secure their own careers, make life easier for business-line executives, and improve their firms’ residual risk profile.
CISOs still need to engage and accommodate the business, but they serve their firms best as decision makers, not consultants.
In order to make the optimal business-driven decisions necessary to thrive in the ERM function, a CISO will need several key attributes:
- They will need to be grounded in multiple protection disciplines
- A CISO will need to be a skilled project and/or program manager who is well versed in project governance policies and routines
- A lifelong passion to learn will be critical
- An in-depth understanding of business models and accounting/budgeting systems
- Interpersonal skills that are both diplomatic and adaptable
- The CISO will need to be adept at framing issues as risk management instead of in terms of confidentiality, integrity and availability
- Formal education, professional training and certifications will still be important
If these qualities make a CISO sound more like a business executive who is prepared to guide enterprise operations than a technical professional, it is no accident.
The point of Enterprise Risk Management is to build an organizational model whereby all of the risks inherent in the business can be effectively measured and mitigated from the top. To this end, information risks will need to be framed and treated in terms of risk to the business.
There are things that an individual CISO can do in the short term to establish themselves as someone who is prepared to be a key player in the ERM function and to reclaim decision rights over information security. These actions include:
- Take ownership of governing information security investment decisions. Shift decision logic with respect to controls from the solution point to the enterprise level and provide investment guidance in the form of established maturity frameworks, process models, technical architectures and ROI baselines.
- Develop service catalogues and other communication devices to show business leaders information risk is being managed competently and cost-effectively across the enterprise.
- Identify the correct linkages and synergies between the information security program and the risk management, compliance, corporate/operational governance organizations.
- Set aside conventional wisdom and determine the optimal division of labor between centralized information security and the business line.
A resourceful CISO will always have the names of “go-to” consultants in their address book; however, their long-term value to the organization rests in their ability to make decisions and drive change. Advisory activities are best left to outside consultants.
Daniel Wallace is a Detroit, MI based information security consultant who has been assisting executives and advising organizations on compliance issues for over 15 years. He can be reached at dwallace@growforwardllc.com
LinkedIn - http://www.linkedin.com/in/wallacedan
Twitter – http://twitter.com/dpwallace
* * *
The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com